SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: iFCP: security position



    This is going to be very interseting... How do you plan on using standard
    IPsec clients that have DES as MUST implement when your application that
    sits above it has a MUST NOT implement requirement.  This would be like
    having a protocol that tells layer 3 that it MUST run over Token Ring, but
    MUST NOT run over Ethernet.
    
    These are all policy issues that can be solved by having the end users
    implement appropriate policies, not by standards organizations
    
    Bill
    Sanera Systems Inc.
    -----Original Message-----
    From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
    Franco Travostino
    Sent: Friday, September 07, 2001 1:31 PM
    To: ips@ece.cmu.edu
    Subject: iFCP: security position
    
    
    
    After the interim meeting, we restate our security coordinates in the
    following terms. Additionally, we have expanded our Irvine slides with
    rationale text and insights that we learnt at the interim meeting. Such
    amended slide set is available at
    ftp://standards.nortelnetworks.com/san/ifcp_security_requirements-v2.pdf
    Comments most welcome.
    
    Keying: IKE
    Pre-shared keys: MUST implement
    Signature key authentication: MAY implement
    Phase-1/Main Mode: MUST implement
    Phase-1/Aggressive Mode: MAY implement
    Phase-2/Quick Mode: MUST implement
    Phase-2/Quick Mode + KE payload: MUST implement
    Identities are IP addresses in all Phase-1/Phase-2 Modes
    
    
    Integrity MAC:
    HMAC-SHA1: MUST implement
    AES (X)CBC MAC: SHOULD implement*
    
    
    Encryption:
    3DES CBC: MUST implement
    AES CTR: SHOULD implement*
    DES: SHOULD NOT implement
    NULL: MUST implement
    
    
    Encapsulation Style:
    Tunnel Mode.
    
    
    (*) IFF there is a Proposed Standard RFC that we can cite by the time we hit
    Last Call. HMAC-SHA1 and 3DES CBC suit us fine otherwise (as justified in
    the slides).
    
    -franco
    iFCP Technical Coordinator
    
    
    
    Franco Travostino, Director Content Internetworking Lab
    Advanced Technology Investments
    Nortel Networks, Inc.
    600 Technology Park
    Billerica, MA 01821 USA
    Tel: 978 288 7708 Fax: 978 288 4690
    email: travos@nortelnetworks.com
    
    


Home

Last updated: Fri Sep 07 19:17:10 2001
6452 messages in chronological order